Law Firms, Here’s a New Commentary on Data Security Best Practices For You: Cybersecurity Best Practices

Would have covered this earlier, but blogging and I, well, we were on a break!  🙂 And, then, it got pushed back even more by EDRM’s breaking news earlier this morning. Regardless, on April 7, The Sedona Conference (TSC) and its Working Group 11 on Data Security and Privacy Liability (WG11) announced that The Sedona Conference Commentary on Law Firm Data Security, Public Comment Version (Commentary) has been published for public comment.

As noted in the Introduction to the Commentary, law firms “are—unlike most service providers—ethically bound to maintain the confidentiality of client information, regardless of contractual obligation” and are also “ethically obligated to pursue the best interests of their clients, not just maximize profits…While strides have been made in understanding and addressing data security at law firms, there is consensus that more must be done to secure the sensitive data held by law firms. Tensions have grown as cybersecurity vaults to the top of the national agenda, and it has become increasingly obvious that law firms are more attractive targets for information theft, and less capable of preventing it, than previously thought.”

Aha, the gauntlet has been thrown!  😉

As a result, WG11 “developed a brainstorming group, and then a drafting team, to identify ways that organizations and law firms should approach and address organization concerns about law firm data security”. That work led to this Commentary, which is “intended to foster respectful and mutually beneficial dialogue between organizations and their firms regarding organization expectations and law firm capabilities.”  It “seeks to move this dialogue forward by providing best practices focused on data security requirements that are meaningful considering the organization’s obligation to protect the data, the type of data the organization is providing to the law firm, and the law firm’s operating environment. In short, this Commentary intends to provide an effective road map for more efficient, effective communication to address data security issues and scenarios confronted by organizations and the law firms they engage.”

The 57-page PDF Commentary includes a section for Common Criteria and Protocols for Assessing Information Security at a Law Firm, which includes a section for Organization Expectations for Outside Counsel and also a section for Considerations for How an Organization Should Communicate with Outside Counsel About the Security of the Organization’s Data.  There are also two Appendices to help provide a jump start for law firms in addressing security considerations with their clients: 1) Model Clauses for an Engagement Letter and, 2) Sample Law Firm Questionnaire.

As always, the Commentary can be downloaded for FREE, and it’s available here. The Commentary is open for public comment through June 8, 2020. Questions and comments may be sent to  There is also a 90-minute webinar on May 6 at 1:00 p.m. EDT for those who wish to hear a panel of practitioners who helped develop the Commentary discuss it in detail.

Hat tip to Sharon Nelson’s excellent Ride the Lightning blog for the coverage.


So, what do you think?  Do you think most law firms have sound practices with regard to data security?  Or is this Commentary sorely needed?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by my employer or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.